Comment 1 for bug 1860252

User B shouldn't be sharing their password with User A. With the above change, the change_user_password API can be called without a token, this was done due to users being unable to change their own expired passwords without admin support.

The controller code above was removed/refactored with the move to flask. (Rocky/Stein)

https://github.com/openstack/keystone/blob/master/keystone/api/users.py